Inside a Sophisticated Telegram Phishing Operation Targeting Cambodia
A deep dive into a highly organized credential theft and malware distribution campaign
Telegram users across Cambodia are currently under attack by one of the most sophisticated phishing campaigns I've analyzed this year. This isn't your typical low-effort scam page thrown together overnight—it's a meticulously structured, localized, and engineered-for-scale operation designed to steal login credentials, hijack sessions in real-time, and distribute malicious Android applications.
The attackers are impersonating official Telegram security services with alarming authenticity. Here's everything I've uncovered about how this operation works, its infrastructure, and why it matters.
TL;DR
A sophisticated, Chinese-operated cybercrime infrastructure is actively targeting Telegram users in Cambodia through a multi-stage attack combining social engineering, real-time credential theft, and Android malware distribution.
The Anatomy of the Attack

Initial Contact
Victims typically receive a message, link, or QR code claiming their Telegram account is compromised, suspended, or requires urgent security verification. The psychological manipulation is immediate: create panic, demand action.
The link redirects to a phishing page such as:
https://safe.tometele.cloud/index.html
The Deception
What victims encounter is a masterclass in social engineering:
- Professional design: A polished, mobile-responsive interface that mirrors Telegram's official styling
- Localization: Fully translated into Khmer and English, targeting the local demographic
- Urgency: Time-sensitive warnings designed to bypass critical thinking
- Multi-step verification: A fake security process that feels legitimate
Users are prompted through a carefully orchestrated flow:
- Enter their phone number
- Provide their one-time password (OTP)
- Install a "Telegram Security Component" if verification fails
Everything feels urgent. Everything feels official. And behind the scenes, attackers are monitoring every interaction in real-time.
A pixel-perfect impersonation of Telegram's official interface
The Three-Stage Attack Chain
This campaign operates through a sophisticated three-stage process that demonstrates clear operational maturity.
Stage 1: Traffic Delivery & Detection Evasion
The attackers understand platform defenses. They don't send direct phishing links that would trigger automated scanners. Instead, they've built an obfuscation system through:
app.tometele.cloud

This intermediary service generates anti-detection URLs designed to bypass link scanning systems deployed by Telegram, WeChat, and other platforms. The system also produces localized QR codes, enabling distribution through:
- Screenshot sharing
- Physical posters
- Direct mobile scanning
- Encrypted messaging apps
This multi-channel approach increases delivery success rates while reducing early detection probability.
Stage 2: Credential Harvesting & Live Session Hijacking
Once past the initial filter, victims land on high-fidelity Telegram login clones hosted across multiple domains:
web.telemyver.shopsafe.tometele.cloud
Here's where things get particularly dangerous. When a victim enters their phone number and OTP:
- Instant transmission: Credentials are immediately sent to the attacker's backend
- Synchronized login: A parallel system attempts to authenticate to Telegram in real-time
- Session takeover: If the OTP is valid, attackers hijack the session within seconds
This isn't simple credential collection—it's live account compromise.
The system also implements device fingerprinting:
localStorage.setItem('userAgentId', '147591');
This tracking identifier enables:
- Cross-session profiling
- Victim identification across multiple visits
- Behavioral analysis
- Targeted follow-up attacks
Stage 3: Malicious Android Payload Distribution
If credential harvesting fails, or as a supplementary attack vector, victims are prompted to install an Android application masquerading as a Telegram security update.
Malware Analysis
File Details:
- Filename:
TGSecurityComponents.apk - Size: 5.7 MB
- Target: Android OS
- SHA-256:
a91592f575bf8ba9a994c2ac3e4d29800248717797546f4a6e18d0cc9c6ad84b
Capabilities:
Once installed, this APK provides:
- Persistent device-level access
- Potential for SMS interception
- Contact list harvesting
- Session token extraction
- Integration into a botnet infrastructure
At this stage, the compromise extends far beyond Telegram. The device itself becomes a controlled asset.
Infrastructure Deep Dive
This operation isn't running on a single server or domain. It's a segmented, resilient infrastructure designed for scale and longevity.
Victim-Facing Infrastructure
| Hostname | IP Address | CDN | Function |
|---|---|---|---|
web.telemyver.shop | 104.21.64.98 | Cloudflare | Primary phishing interface / APK delivery |
safe.tometele.cloud | 104.21.54.49 | Cloudflare | Secondary credential harvesting node |
Security Features:
- Cloudflare protection for DDoS resilience
- Valid TLS certificates for HTTPS trust indicators
- Geographic load balancing
- Cache optimization for fast loading
Command & Control Backend
| Hostname / IP | Port | Technology | Function |
|---|---|---|---|
admin.tometele.cloud | 443 | Vue.js | Administrative dashboard |
159.223.87.34 | 7707 | Custom API | Backend synchronization |
167.99.78.228 | 3311 | WebSocket | Real-time C2 communication |
167.99.78.228 | 5000 | Flask | Telegram bot marketplace |
167.99.78.228 | 8686 | REST API | Device/agent management |

Backend Capabilities:
The infrastructure reveals:
- Real-time dashboard: Vue.js admin panel for monitoring active compromises
- WebSocket communication: Live session hijacking coordination
- API-driven synchronization: Automated Telegram authentication attempts
- Bot marketplace: A commercialized system for distributing compromised accounts
This architecture strongly suggests either a cybercrime-as-a-service operation or a highly professionalized threat actor, not a lone opportunist.
Supporting Infrastructure
| Hostname | Stack | Purpose |
|---|---|---|
app.tometele.cloud | PHP 8.0.26 / Nginx | URL obfuscation & health monitoring |
daili.tometele.cloud | Spring Boot | Proxy routing / traffic management |
Exposed Information:
Reconnaissance against health-check endpoints revealed:
PHP Version: 8.0.26
Server: Nginx
Backend: MySQL/PDO
Writable Directories: /logs/, /api/
Debug Mode: Enabled
Hosting: DigitalOcean
Critical Security Weaknesses
Despite operational sophistication, several OPSEC failures were identified:
Access Control Issues
- ✗ Directory listing enabled on
/api/and/logs/ - ✗ Write permissions on publicly accessible directories
- ✗ No authentication on health endpoints
Information Disclosure
- ✗ Debug mode exposing stack traces
- ✗ System configuration visible via
/api/health.php - ✗ PHP and framework version disclosure
Infrastructure Attribution
- ✗ Direct IP exposure on C2 servers
- ✗ Hosting infrastructure centralized on DigitalOcean
- ✗ Predictable subdomain naming patterns
These weaknesses provide opportunities for:
- Forensic analysis
- Attribution research
- Potential law enforcement intervention
- Coordinated takedown efforts
Target Analysis: Why Cambodia?
This campaign demonstrates clear focus on Cambodian Telegram users through:
Localization
- Native Khmer language interface
- Cultural familiarity in messaging tone
- Understanding of local Telegram usage patterns
Technical Targeting
- Android-first malware (dominant mobile OS in region)
- Mobile-optimized phishing pages
- QR code distribution (popular in Southeast Asia)
Threat Context
- Telegram is extensively used in Cambodia for:
- Personal communication
- Business transactions
- Cryptocurrency trading
- Gaming communities
Impact Potential
Successful account compromise enables:
- Direct Financial Fraud: Access to cryptocurrency wallets, payment apps
- Secondary Phishing: Using trusted accounts to target contacts
- Data Harvesting: Private messages, photos, documents
- Persistent Access: Long-term device control via malware
- Identity Theft: Personal information for further exploitation
Community Response & Takedown Efforts
Update from the security community:
Our research team, along with other security researchers, has successfully identified the C2 admin panel infrastructure. We're now coordinating efforts for a comprehensive takedown operation.
How You Can Help
If you have:
- Additional IOCs (Indicators of Compromise)
- Access to affected systems
- Contacts at Telegram, Cloudflare, or DigitalOcean
- Law enforcement connections in Cambodia
Please reach out. Coordinated action is essential to neutralize this threat.
Protection Recommendations
For Individual Users
Never click external Telegram security links
If you receive a security warning:
- ✓ Open the official Telegram app directly
- ✓ Check Settings → Privacy and Security → Active Sessions
- ✓ Verify through Telegram's in-app support
- ✗ Never enter your OTP on external websites
- ✗ Never install "security components" from links
If you've been compromised:
- Immediately terminate all sessions in Telegram settings
- Enable two-step verification
- Change your password
- Review recent message activity
- Alert your contacts about potential phishing from your account
- Uninstall any suspicious applications
- Consider a factory reset for infected devices
Indicators of Compromise (IOCs)
Domains
web.telemyver.shop
safe.tometele.cloud
admin.tometele.cloud
app.tometele.cloud
daili.tometele.cloud

IP Addresses
104.21.64.98
104.21.54.49
159.223.87.34
167.99.78.228
Malware Hash
SHA-256: a91592f575bf8ba9a994c2ac3e4d29800248717797546f4a6e18d0cc9c6ad84b
Network Indicators
WebSocket connections to 167.99.78.228:3311
API requests to port 7707, 5000, 8686
Final Thoughts
This campaign represents a significant escalation in regional cybercrime targeting Cambodia. The combination of technical sophistication, cultural localization, and commercialized infrastructure suggests this is not an isolated incident but rather part of a larger ecosystem.
The threat is active, ongoing, and evolving.
Awareness is the first line of defense. Share this information with your network, particularly those in Cambodia who rely on Telegram for daily communication.
If you're a security researcher, platform provider, or law enforcement agency interested in collaborative takedown efforts, let's connect.
Remember: Legitimate security services will never ask for your credentials through external links. When in doubt, go directly to the source.
Stay safe out there.
This analysis is provided for educational and defensive purposes. All technical details have been shared with relevant platform providers and law enforcement agencies.
Last Updated: February 2026
Threat Level: High
Geographic Focus: Cambodia
Primary Vector: Social Engineering + Malware
Additional Resources
P.S. — Additional Discovery: The Chinese Connection
During further investigation of the C2 infrastructure, we discovered additional resources on the same IP (167.99.78.228) that suggest this operation may be part of a larger Chinese-language cybercrime service marketplace.
What We Found
Web Panel: http://167.99.78.228:8395/
The interface displays Chinese branding:
- Title: 💯海华出海 (Hǎihuá Chūhǎi - "Haihua Going Overseas")
- Description: ❇️海华综合业务资源导航面板❇️ ("Haihua Comprehensive Business Resource Navigation Panel")
- Footer: ✅ 本站点由海华科技出品,最终解释权归海华出海团队所有! ("Produced by Haihua Technology")
Associated Telegram Channels:
@huamei404@haihuabaoguan(保管 = "custody/safekeeping")@jianpuzhaiNes
What This Means
The term "出海" (chūhǎi) literally means "going overseas" and is commonly used in Chinese business circles to describe expansion into foreign markets, particularly Southeast Asia. This branding, combined with the shared infrastructure, suggests:
- Commercialized Operation: This appears to be a cybercrime-as-a-service platform, not a one-off scam
- Chinese Operators: Targeting Southeast Asian markets from Chinese-language infrastructure
- Multiple Service Lines: The Telegram phishing campaign may be just one product in a larger catalog
- Operational Security Failure: Hosting multiple criminal services on the same IP creates a single point of failure
The Bigger Picture
This discovery indicates the Telegram phishing operation is likely part of a broader ecosystem offering various "business resources" (a euphemism for cybercrime tools) to Chinese-speaking operators targeting regional markets.
Additional IOCs:
http://167.99.78.228:8395/
@huamei404
@haihuabaoguan
@jianpuzhaiNes
These Telegram channels and the web panel warrant monitoring and potential reporting to platform abuse teams.
Attribution & Research
For inquiries, collaboration, or additional IOC sharing: Telegram: @souuJ
Disclaimer: The information in this post is provided for educational and defensive cybersecurity purposes only. It should not be used to conduct unauthorized access, attacks, or any illegal activities. Always follow responsible disclosure practices and local laws when conducting security research.